Theme for Day 2

• Risk Management
• Best Practice

Practical Security Workshop Nov. 2003

Overview Day 2

09.00 Coffee
09.15 Managing security in the DAME Project (Howard Chivers, York University)
10.00 Breakout sessions: Managing risks in your projects (including coffee at 11.00)
12.30 Lunch
13.45 Reports from workshop groups
14.15 Establishing secure practices (Peter Ryan, Newcastle University)
15.00 Closing remarks: Security in e-Science projects – First steps in the right direction (Mike Surridge, IT Innovation & Angela Sasse, UCL)

Questions for Breakout Groups (1)

• Applying Risk Management
• Which perspective do you want to adopt?
  – Users
  – Developers
  – System manager
  – Project manager

Re-cap risks

• Threat: Harm that can happen to an asset
• Impact: A measure of the seriousness of a threat
• Vulnerability: A weakness in the system that makes an attack more likely to succeed
• Risk: A quantified measure of the likelihood of a threat being realised

Questions for Breakout Groups (2)

• Select 2-3 assets you identified in the first session
• Re-consider the risks they face
  – Threats
  – Vulnerabilities
  – Impact
• Identify options for managing risk
  – Avoidance
  – Acceptance
  – Reduction

Questions for Breakout Groups (3)

• Consider costs and benefits of each option
  – For your perspective
  – If you have time: for other stakeholders
• Does this process work?
• If not, why not?
• What comments/questions do you have?